#github-actions (2023-08)
Discussions related to GitHub Actions
2023-08-01
Anyone know of a good way to set a timeout using ecspresso when editing the config file is not an option?
@Igor Rodionov
2023-08-02
GitHub Actions: Required Workflows will move to Repository Rules GitHub Actions: Required Workflows will move to Repository Rules
2023-08-04
[Private Beta] Jenkins Scripted Pipeline Migrations [Private Beta] Jenkins Scripted Pipeline Migrations
2023-08-10
Actions runs triggered from tags or forks with the same name as a protected branch will now be blocked Actions Runs triggered from tags or forks with the same name as a protected branch will now be blocked The post Actions runs triggered from tags or forks with the same name as a protected branch will now be blocked appeared first on The GitHub Blog.
2023-08-15
Anyone who can help with a GitHub Action. I’m trying to check if any relevant files has changed, if so run some test steps, if not just end the pipeline with success to make the GitHub required step pass.
required-test:
name: required-test
runs-on: ubuntu-latest
environment: production
strategy:
fail-fast: false
matrix:
python-version: [ '3.11' ]
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Check if any files changed
id: changed-files
uses: tj-actions/changed-files@v37
with:
files: |
.github/workflows/test_project2.yml
test_project2/**
- name: Run step if no files changed
if: steps.changed-files.outputs.any_changed == 'false'
run: |
echo "No relevant files changed. Return success"
exit 0
- name: Test
run: |
echo "test"
But even with the exit 0 the step Test is run and depending jobs also run. How do I exit the full workflow here?
Didn’t you mean to do exit 1? with exit code 0 it’s a success and the workflow continues. That however fails the run and you may not want that. At the price of duplication if there’s more steps to follow, you can include the condition to every step
if: steps.changed-files.outputs.any_changed == 'true'
I guess this is the very thing you wanted to avoid
you could also split jobs so job1 only runs changed-files action and exposed an output and then job2 runs based on the if condition - no need to duplicate to all steps
My main issue is I want the test job to be required for PR’s. So if files in a certain folder has changed run the tests, if not changed in that folder the test will just return success to make the required test pass in the PR to allow it to be merged into main.
I see, I can’t think of any GHA native way to achieve it
@Dan Miller (Cloud Posse)
I’m not familiar with tj-actions/changed-files , but we do something similiar with Atmos and the github-action-atmos-affected-stacks action
It doesn’t matter how you detect the affected stacks or changed files. You get a bool on the output and the question is what you can do with it to end the pipeline cleanly based on it
this might work https://stackoverflow.com/a/75809743/398012
Yes, I tried this with no success the exit isn’t working
are you looking at the comment that I linked? it doesn’t use exit …
accepted answers can be misleading
Yes
gh run cancel ${{ github.run_id }}
gh run watch ${{ github.run_id }}
This is actually working to stop the workflow, unfortunately I need the test to return success to make the PR checks pass.
2023-08-16
2023-08-18
Looks like our GHA are failing with:
Error saving credentials: error storing credentials - err: exit status 1, out: not implemented
I see multiple issues discussing this (https://github.com/docker/login-action/issues/515), but none of them have an outright solution. Has anyone encountered this?
We’re using https://github.com/cloudposse/github-action-docker-build-push for our build/push
Just a random guess, host machine is out of disk space
doesn’t seem to be the case
@Jeremy G (Cloud Posse) does this ring a bell? I saw you commenting back in 2020 on this issue: https://github.com/awslabs/amazon-ecr-credential-helper/issues/102
@Igor Rodionov
the weird thing is we’ve made no changes to the set up. this is all the same as it was before and it just fails
of course it is right before the very moment we need it lol
@johncblandii know this case
sec
try this
tee -a /github-runners/docker-config.json <<EOF
{
"credHelpers": {
"ecr.us-east-1.amazonaws.com": "ecr-login",
"ecr.us-east-2.amazonaws.com": "ecr-login",
"ecr.us-west-1.amazonaws.com": "ecr-login",
"ecr.us-west-2.amazonaws.com": "ecr-login",
"ecr.af-south-1.amazonaws.com": "ecr-login",
"ecr.ap-east-1.amazonaws.com": "ecr-login",
"ecr.ap-southeast-3.amazonaws.com": "ecr-login",
"ecr.ap-south-1.amazonaws.com": "ecr-login",
"ecr.ap-northeast-3.amazonaws.com": "ecr-login",
"ecr.ap-northeast-2.amazonaws.com": "ecr-login",
"ecr.ap-southeast-1.amazonaws.com": "ecr-login",
"ecr.ap-southeast-2.amazonaws.com": "ecr-login",
"ecr.ap-northeast-1.amazonaws.com": "ecr-login",
"ecr.ca-central-1.amazonaws.com": "ecr-login",
"ecr.eu-central-1.amazonaws.com": "ecr-login",
"ecr.eu-west-1.amazonaws.com": "ecr-login",
"ecr.eu-west-2.amazonaws.com": "ecr-login",
"ecr.eu-south-1.amazonaws.com": "ecr-login",
"ecr.eu-west-3.amazonaws.com": "ecr-login",
"ecr.eu-north-1.amazonaws.com": "ecr-login",
"ecr.me-south-1.amazonaws.com": "ecr-login",
"ecr.sa-east-1.amazonaws.com": "ecr-login"
}
}
add that to the user data?
yea
we have this in there:
mkdir -p /root/.docker
echo '{ "credsStore": "ecr-login" }' >/root/.docker/config.json
mkdir -p /home/ec2-user/.docker
echo '{ "credsStore": "ecr-login" }' >/home/ec2-user/.docker/config.json
should the path match?
no
ok, gotcha
my path is from our module
that docker-config.json should be like that
ok, have to step away, but i’ll run this in a few
For GHA, did you give the job write permission?
permissions:
contents: write
IIRC, in a GitHub Action using official Docker actions, you do not need to have any credential helpers or .docker/config.json, just use the docker/login-action action (which is done for you by cloudposse/github-action-docker-build-push).
yes, it has that
and yes, that’s the action we’re using. it just started failing out of nowhere
There was an outage. Is it still failing?
yes. it started last week
was still failing today
is failing now cuz of the tee above, but i’m pushing a fix
I don’t know, then. I haven’t seen new problems crop up recently.
yeah, reverted and it is still failing
Confirmed this was in place
permissions:
contents: write
id-token: write
cloudposse/[email protected]
confirmed adding credHelpers didn’t help.
I created a reduced test case and docker/login-action continues to fail no matter what I do with the same error:
Error saving credentials: error storing credentials - err: exit status 1, out:
not implementedI’ll see what else I can find out. Definitely the worst timing to hit this bug
just adding here for context as I go.
testing on ubuntu-latest works perfect fine on GHA.
testing on a linux2 bastion and I could easily replicate this problem
I changed this section and everything worked on the bastion. Testing this on the runners as well. So far it looks promising
mkdir -p /root/.docker
echo '{}' >/root/.docker/config.json
mkdir -p /home/ec2-user/.docker
echo '{}' >/home/ec2-user/.docker/config.json
So what changed?
there is a new ami being used with the filter that came out this month
so could be something in that ami
1 sec…
amzn2-ami-hvm-2.0.20230808.0-x86_64-ebs
that date coincides with when i saw some errors
i believe this one was fine amzn2-ami-hvm-2.0.20230727.0-x86_64-ebs
or maybe the one before that. i didn’t track those as i didn’t consider it to be an AMI change
2023-08-21
Repository Actions Runners List Repository Actions Runners List The post Repository Actions Runners List appeared first on The GitHub Blog.
2023-08-22
2023-08-24
Hi, I’m looking for findings regarding github-actions (GA) vs circleci (cci). I’ve used the latter a fair bit (a whole year of cci on some non-trivial pipeline), but my impression is that GA is significantly more powerful than cci overall. Any concrete capabilities in GA that are not or only partially in cci? Limitations in GA that are not in cci? This is for an org that has about 50 repos that build a variety of artifacts (jars, docker images, node modules) and deploy to a few places (AWS ec2 instances, lambdas, soon kubernetes). Migrating from Jenkins, the options so far are cci and GA.
IMO it’s not that GHA is more powerful than CCI, it’s that they’ve done a better job getting rallying the community behind it. there are more workflows/actions that are readily available (this can also be a bad thing because devs sometimes grab workflows without really inspecting them and sometimes use :latest which is a security risk). I think they both have all the features, I just find GHA more intuitive.
Hi Im looking for a way to refresh token for an Assumed role in GHA. We are running batch jobs using github actions and assumed roles and some of the batch jobs are long running up to 36 hours. Assumed roles have a default duration of 1 hour Undwer the assumed role workflow has two jobs with multiple steps.
- Submit Job with aws cli batch job command
- Check Job status
- config aws creds
- check job status loops until job succeeds or fails
After an hour times out with
An error occurred (ExpiredTokenException) when calling the DescribeJobs operation: The security token included in the request is expired"Any help would be appreciated
have you tried OIDC?
OIDC tokens have expiry too
@Max Lobur (Cloud Posse)
On https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container it shows how you can run a GA job in a container. I have a docker image that has build tools in a private repo in AWS ECR, so we need to generate a token (aws ecr get-login-password). Can one job generate the token and the next job uses it? Does this then prevent us from ever re-running individual jobs of a workflow?
@Dan Miller (Cloud Posse)
yes absolutely. Check out this action: https://github.com/docker/login-action#aws-elastic-container-registry-ecr
although we typically use an AWS role that has access to ECR and assume the role with Github OIDC
Thanks @Dan Miller (Cloud Posse)
Btw I found out that if you rerun a job it automatically runs jobs that depend on it (ie have a needs property that points to it). So it might work to re-run the password getter job, this would auto run the job that needs that password.
2023-08-25
2023-08-29
GitHub Actions: Review network access settings for the self-hosted runners GitHub Actions: Review network access settings for the self-hosted runners The post GitHub Actions: Review network access settings for the self-hosted runners appeared first on The GitHub Blog.
Update to Actions usage in Enterprise Managed User namespace repositories Update to Actions usage in Enterprise Managed User namespace repositories The post Update to Actions usage in Enterprise Managed User namespace repositories appeared first on The GitHub Blog.